Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
P.F. Chang's The Latest Target?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/13/2014 | 9:59:04 AM
Re: Latest Target?
I have to agree with you. I work at a healthcare organization and I see how effective a "simple law" (putting it lightly) like HIPAA can be. Most of our fiscal decisions towards security initiatives you can link back to one HIPAA mandate or another. Not storing data on local drives, encrypting file storage, and among systems; IDS is a big one where HIPAA has very much forced the organization to get behind it. This is a very small subset of best practice that HIPAA has helped us accomplish.

The reason being these laws have repercussions for breaches and loss of data. And let me tell you, they are hefty when fiscally analyzed against incorporating security systems.
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/12/2014 | 10:43:46 PM
EMV
Just when I wanted some Chinese. :) I think the focus at this point needs to be on EMV credit cards here in the U.S. It's not foolproof or anything, but I think it raises the level of difficulty for fraudsters.

BP
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/12/2014 | 4:50:53 PM
Multi-factor Biometrics
Really, we have gotten to the point where archaic technology like POS is just begging to be abused.  Retail as a whole must change, and while I heard a snigger or two as folks read my post subject, I'm quite serious.  Two of my favorite research subjects are quantum computing and biometrics.  A multi-factor biometrics security system for in-person retail purchasing would eliminate the majority of these "old school" hacks and save billions, if not trilllions, or dollars - a savings assuming we can pull off multi-factor biometric security for less than trillions!

If you don't believe POS is archaic and ready for retirement, dig into old - I mean old - issues of 2600 Hacker Quarterly, and then read every third issue until 2014.  Yes, POS along with many other similar retail systems just seem to evolve in micro-steps instead of moving aside for truly secure and efficient purchasing systems.  Innovate, for crying out loud.  Your average "cash only" retail shop is ultimately more secure than any store with POS or a similar charge system.  Might be why I eat a lot of noodle soup and milk tea with boba...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 4:22:36 PM
Re: Latest Target?
You would think that there is some evidence of improvement in the change of command at the top of Target -- together with today's news about the hring of Target's first CISO .  But getting the entire retail industry to make the investments they need to make is a huge commitment in culture change, not just $$.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/12/2014 | 2:55:28 PM
Re: Latest Target?
I disagree that making consumers responsible would be beneficial in the least.  However, I do agree that laws generally lead to checklist style compliance but, in the least it would get retailers moving.
RalphDaly28
50%
50%
RalphDaly28,
User Rank: Apprentice
6/12/2014 | 2:30:41 PM
Re: Latest Target?
A "simple law" that holds employees personally responsible will not be effective at addressing security. It might be a boon for the insurance industry as executives will refuse to work for a company that doesn't cover that risk for them. Think that will increase spending on security or insurance? Consumers already care even though their exposure is limited. If you don't think retailers are being held responsible take a look at Target's sales and profits since the breach. Laws can't fix technology and social problems. They generally only make them worse especially when the people writing them are clueless about how the world works.  Or in the words of Ludwig Von Mises: "Economic history is a long record of government policies that failed because they were designed with a bold disregard for the laws of economics."
ecowper
0%
100%
ecowper,
User Rank: Apprentice
6/12/2014 | 1:24:13 PM
Re: Latest Target?
Robert said: "I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands."

 

I spent some time in the healthcare industry, both as a consultant and a CISO. A new law only does two things. 

1. Create a compliance regime and bureaucracy, whose focus will be to make sure that their organizations can check the boxes saying they comply. Frankly, compliance/checkbox security has been a major problem for security, not a factor to improve security, for a long time now. 

2. The law sets up a checkbox approach to solving the problems that caused yesterday's breaches. While preventing those is important, we are not going to get ahead of the game that way. 

The real solution, I would posit, is very simple and two-fold. First, a very simple law, one that makes the CEO, CFO and the Board of Directors as a group and individuals liable for protecting credit cards, PII, etc. Second, change credit card fraud laws. Right now, the consumer has no skin in the game because the issuing bank has to make them whole, by law. Consumers are feeling no pain from all the credit card breaches, so they really don't care. And thus, no pressure is ever put on the retailers who failed in their obligation to protect the data. 

My two cents worth. 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/12/2014 | 11:09:19 AM
Re: Latest Target?
I think you are exactly correct.  Companies tend to not spend money on security unless they see it as a major threat to the bottom line.  Historically, point of sale machines were viewed as "dumb terminals" without the need of security.  However, as we are all well aware, this is not the case any longer.

I think retailers will eventually get around to putting secure POS systems in place but I also think it will be much too slow.  I hate to say it, but what is needed here is a law (think HIPAA) to force retailers hands.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/12/2014 | 10:31:31 AM
Re: Latest Target?
This is a very disturbing notion.  I feel that despite past events organizations are handling this as catastrophe based event. For example, buying a house in an area that could possibly be hit with a tornado or another natural disaster. You know the possibility is there but you don't ever believe it will happen to you. I think organizations are weighing the risk against budget and because this is happening to a subset of the overall retail company base I think they've decided that the cost of securing the PoS systems outweighs the probability of breach.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/12/2014 | 9:46:15 AM
Re: Latest Target?
I'm amazed at how little has changed in the aftermath of Target et al – and now PF Chang.We have a poll running on the site that asks the question: Have the headlines surrounding data breaches like Target's changed your company's policies around managing risk and securing data? More than half of respondents to date say that it's either "busness as usual" or "Eh, we're hearing a lot of talk from the C suite, but no action or budget."           

You can check out the results here and add your two cents, if you haven't already. 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20399
PUBLISHED: 2021-07-27
IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.
CVE-2021-20562
PUBLISHED: 2021-07-27
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 and 6.1.0.0 through 6.1.0.2 vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclos...
CVE-2020-18428
PUBLISHED: 2021-07-26
tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).
CVE-2020-18430
PUBLISHED: 2021-07-26
tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).
CVE-2021-37576
PUBLISHED: 2021-07-26
arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.